Nearly One Billion Emails & Personal Details Leaked from Verifications.io, Source was Picasa API?

Rajshekhar Rajaharia
3 min readApr 11, 2019

The Daily Mail and Forbes reported that personal information from 982 million email accounts included names, gender, dates of birth, employers and even residence in the database. Good news was that the info did not contain passwords or credit card details.

The online email database was created by a company called Verifications.io, which reportedly had no security measures in place. The company offered an “enterprise email validation” service for marketing companies to check whether email addresses were valid or not. Security Researcher Bob Diachenko discovered the breach in an online database created by Verifications.io that had no privacy protections in place.

What happened to Verifications.io after data leak?

Verifications.io took down their website after the leak was uncovered and they have refused requests for a comment on the situation.
Very few is known about the people behind the business with its backers maintaining their anonymity due to the dubious tactics it employs. Verifications.io domain is now available as a premium domain on Name.com for fresh registration in just around 5000 USD.

What was exposed in the email data breach?

All records contained the detailed profile information about the email owner. Millions of businesses profiles were also found in the email data breach. These records appear to mostly be made up of publicly available data. While no passwords were in the email data breach, all of the following were found:

  • Email addresses
  • Full names
  • Gender
  • Date of birth
  • Residence Details
  • Work and Designation etc.

How Verifications.io got your data?

This is the trending question that how Verifications.io got your data? After doing a lot of research i found that thousands of these type of marketing agencies were using Google Picasa Api to validate email address and to get detailed profile information about the email owner. Previously i also wrote two articles that how marketers and spammers were using Picasa Api to validate emails and to get detailed profile information about the email owner. Here is the Proof

Story 1 — More than 1 Billion Google users data is on risk

Story 2 — Billions Users Data was public through Google Picasa API

Picasa Web Albums Data API was giving a option to search any user profile detail by Email. Everyone was able to search any email id using Picasa API and Picasa API was returning their Name, Profile Update Time, Google Plus ID, Profile Picture and Album details etc. Google Apps or Business Accounts Details were also available their. Picasa API was a public API with no API Key or Token. There was no limit, People was able to request as much as they can. Anyone was able to fetch more than crores email’s data every day. You have Millions ,Billions Email IDs and their Google Plus ID. Now You can fetch further details via Google Plus API or Google People API using Google Plus ID. These API will return whole data like Gender, Education Details, Location, Work History, Designation etc etc. Now you have everything and you can use this data in any way.

Should you be worried?

Although the databases were accessible for some time, as soon as the problem was disclosed to Verifications.io, the service was taken offline and remains so. But marketing companies who having this data will start emailing in bulk. It also puts people at risk for robo calls and phishing attacks, which will try to lure even more personal information out of people.

--

--